A number of you may have noticed the article on ZDNet that stated that Mac OS X now has built in Malware protection (actually, I guess Intego made it public). Despite the fact that the articles from Intego and then ZDNet were written prior to the release of the actual operating system (in their defense it was only 3 days prior) they have a point. They were also correct in that this isn't using a standard anti-virus engine such as ClamAV (which many think should be included by default in both Client and Server rather than as just a mail plug-in for Server)… So what is this new anti-malware tool and what's it doing?

The Launch Services API in 10.5 was improved to add a quarantine
function. This is where Apple introduced the new feature that
quarantines incoming files as having been downloaded from the Internet
(aka – a potentially untrustworthy source). Each of these files, when
opened, will state:

"MyApp" is an application downloaded from the Internet. Are you sure you want to open it?

The
warning dialog will also list the attributes from the CFDictionaryRef,
namely the kLSQuarantineAgentNameKey (the name), the
kLSQuarantineTimeStampKey (when you got the file from the untrustworthy
source), the kLSQuarantineTypeKey (what it is – package, disk image,
app, document, etc) and the kLSQuarantineOriginURLKey (which
untrustworthy source you obtained the file from). Clicking Open on the
application will allow it to open. In 10.6, when the application is
opened it will issue a new warning, if the hash matches that of a known
piece of malware that is defined in the malware signatures, that states:

"MyApp's.pkg" will damage your computer. You should move it to the Trash.

The
signatures can be found in the
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Xprotect.plist
file, which contains signatures for OSX.RSPlug.A and OSX.Iservice. The
warning can then be issued based on a signature match of an
Archive.BOM, mounted disk image and a number of other quarantine-able
items. Another new feature that can be found in Snow Leopard's
quarantine is the ability to provide an exception to applications that
have files they bring into the computer quarantined. This can be done
in
the /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist.
Here, you can change the LSFileQuarantineEnabled key for an
application in the dictionary to <false/> (the default is
<true/> for listed items) and the application will then no longer
quarantine files that are downloaded. Given that in order to alter
this file you need root access it is worth noting that if the file is
edited by malware then you likely have larger issues at hand.

In
the future, it would not be surprising to find that there are new
signatures added to XProtect.plist in Security Updates, once Apple is
able to analyze potentially harmful applications and determine whether
or not they are dangerous. Given the extensible nature of the file and
more importantly of the Launch Services API, it is easy to foresee this
as being parlay-able into a more robust framework for future
generations of malware thwarting if and when more applications are
available.